INPLP article May 11, 2021


Fine of €475,000 for reporting a data breach 22 days too late

According to a press release of April 6, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a €475,000 fine on the company because it took too long to report a data breach to the DPA, in breach of Article 33 GDPR.

22 days too late

The company was informed of the data breach on 13 January 2019, but did not report the breach to the DPA until 7 February, which is 22 days too late: data breaches must be reported within 72 hours where feasible. On 4 February 2019 the company informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.

Risk of falling victim to serious theft

The criminals involved obtained the personal data of over 4,000 customers and credit card information of almost 300 people. By persuading hotel staff to reveal the log-in details for their accounts in a system the criminals gained access to the data of 4,109 people who had booked a hotel room. The criminals also tried to get hold of the credit card information of other victims, by posing as staff in emails or on the telephone.

‘Customers ran a risk of falling victim to serious theft,’ says DPA deputy chair Monique Verdier, ‘even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for “phishing” expeditions.’

‘By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.’

‘This is a serious violation,’ Ms Verdier says. ‘Unfortunately, a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time.’

‘Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.’

Huge responsibility

According to Ms Verdier, ‘A company of this size, which stores valuable personal data of millions of customers in its systems, has a huge responsibility. Customers are entrusting their personal data to the company, and the company must do everything it can to protect that data properly. That means not only ensuring good security to prevent breaches, but also taking rapid action if the worst should happen.’

International investigation

The investigation into the breach was international in scope. The situation involved an international company with customers from a range of countries. The company’s global headquarters are in the Netherlands, which is why the Dutch DPA performed the investigation. Since this was an international matter, the DPA coordinated the investigation with other European data protection supervisory authorities.


Data breaches can occur anywhere, even if you have the necessary precautionary measures in place. Nonetheless, it is essential to report a breach in time to prevent (further) harm to customers. Timely reporting also allows the DPA to take the necessary actions. Fortunately, the number of reported breaches in the Netherlands was 30% higher in 2020 than in 2019. Notifying the DPA is not necessary where no harm to customers is to be expected. Even in those cases, however, you must record the data breach in your internal register for accountability purposes.

In general, it is advisable to notify the DPA within 72 hours, even if you are not 100% sure about the severity of the impact of a data breach on customers. This is all the more important for practical reasons: the Dutch DPA does not have nearly enough staff to investigate all reported data breaches, so it is time- and cost-efficient for the DPA to at least investigate breaches that were reported too late, as low-hanging fruit. Lastly, do not hesitate to notify a DPA promptly, as you can always alter or amend your notification at a later stage.

We should not forget that data breaches can happen to the best of us, however good your precautionary measures may be. However, as this breach demonstrates, a timely report of a data breach can prevent serious further economic and reputational damage.
